Microsoft's Trustworthy Computing, Security Still Priority 10 Years Later

Panned as a hollow public relations campaign 10 years ago, Microsoft's Trustworthy Computing initiative has improved Windows products and introduced new standards for developing secure software.

In 2002, then-CEO Bill Gates wrote a letter to every Microsoft employee stating that product security was a top priority for the software giant. While the fight against attackers is not over, the company has advanced significantly in making it harder to compromise the operating system and associated software, according to security experts in and out of Microsoft.

Gates sent the email to all employees on Jan. 15, 2002, outlining the Trustworthy Computing initiative and calling on employees to deliver products that were "as available, reliable and secure as standard services, such as electricity, water service and telephony."

At the time of the email, Windows systems around the world were under siege by fast-replicating and destructive worms and viruses such as CodeRed, Nimda, "I Love You," and "Anna Kournikova." CodeRed used buffer overflows to exploit vulnerabilities in Windows Server's Internet Information Services (IIS) Web server and infected more than 300,000 computers.

Gates ordered everyone in the company to stop and begin focusing on security. If there was a choice between adding features and resolving security issues, the company would "choose security," Gates wrote. Microsoft needed to emphasize security "out of the box" and also "constantly refine and improve" the products because threats will evolve, according to the memo.

"If we don't do this, people simply won't be willing -- or able -- to take advantage of all the other great work we do," Gates wrote, adding, "We must lead the industry to a whole new level of Trustworthiness in computing."

Ten years after Gates outlined the company's three new areas of focus as security, privacy and reliability, these areas remain "just as important" as organizations move to the cloud, government roles evolve and new cyber-threats emerge, Adrienne Hall, Microsoft's general manager of TwC, wrote on the Trustworthy Computing blog Jan. 12.

Microsoft's Trustworthy Computing initiative permeates all parts of the company and touches upon many areas, including building security into products and services right from the design phase, regularly updating products and services, researching new and emerging threats, developing security products and working with law enforcement, Hall wrote. Under TwC, developers receive training on exploit mitigations, and there are regular outreach efforts to external security researchers who probe the company's products for weaknesses. Security runs through Microsoft employees' veins, and Hall said, "It truly is in our DNA."